[asterisk-dev] Notes from setting up SIP+TLS/RTP+DTLS
Joshua Colp
jcolp at digium.com
Sun Nov 9 18:32:48 CST 2014
Ben Klang wrote:
<snip>
>>
>>> The pjsip configuration keys are subtly different for SIP+TLS on the
>>> transport vs. RTP+DTLS on the endpoint. Examples:
>>>
>>> cert_file = X ; transport
>>> dtls_cert_file = X ; endpoint
>>> ; dtls_ prefix, weird but ok - srtp doesn’t appear to have a
>>> corresponding setting, so do we even need the prefix?
>
> sdes again here.
>
> Since SDES negotiates SRTP, it also uses certificates, right? I didn't notice any srtp_ prefixed config options. Does it use the dtls_ prefixed ones?
It does not. Each side generates a key and this is included in the SDP
as the crypto attribute. That's why for SDES you need to protect the SIP
signaling, or else someone will know your encryption key. In the case of
DTLS since it's negotiated outside of the signaling it doesn't matter as
much. The most they could see is the fingerprint of the certificate on
each side.
Cheers,
--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
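
Added example, not part of the original post and not Asterisk code: a small Python check that shows what an observer of the SIP signaling can read from the SDP in each case described above (the master key for SDES, only a certificate fingerprint for DTLS). The function name `audit_sdp`, the finding fields and the sample SDP bodies are assumptions constructed for illustration.

```python
import base64
import re

# RFC 4568: a=crypto:<tag> <suite> inline:<base64(master key || salt)>[|params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")
# RFC 8122: a=fingerprint:<hash-func> <colon-separated hex digest>
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f:]+)$")

def audit_sdp(sdp, signaling_encrypted):
    """Return one finding per keying attribute found in an SDP body."""
    findings = []
    for line in (l.strip() for l in sdp.splitlines()):
        m = CRYPTO_RE.match(line)
        if m:
            secret = base64.b64decode(m.group(3))
            findings.append({
                "mechanism": "SDES",
                "suite": m.group(2),
                "secret_bytes_in_sdp": len(secret),
                # The SRTP master key travels in the SDP itself, so it is
                # only as private as the SIP transport carrying it.
                "key_exposed": not signaling_encrypted,
            })
            continue
        m = FINGERPRINT_RE.match(line)
        if m:
            findings.append({
                "mechanism": "DTLS-SRTP",
                "hash": m.group(1),
                "secret_bytes_in_sdp": 0,  # only a certificate digest is visible
                "key_exposed": False,
            })
    return findings

# Constructed sample values (not real keys or certificates).
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()  # 16-byte key + 14-byte salt
SAMPLE_FP = ":".join(f"{b:02X}" for b in range(32))        # SHA-256-sized digest
SDES_SDP = ("m=audio 10000 RTP/SAVP 0\r\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}\r\n")
DTLS_SDP = ("m=audio 10000 UDP/TLS/RTP/SAVP 0\r\n"
            f"a=fingerprint:sha-256 {SAMPLE_FP}\r\n"
            "a=setup:actpass\r\n")

if __name__ == "__main__":
    for name, sdp, tls in [("SDES over UDP", SDES_SDP, False),
                           ("SDES over TLS", SDES_SDP, True),
                           ("DTLS over UDP", DTLS_SDP, False)]:
        print(name, audit_sdp(sdp, tls))
```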